7
votes

I'm writing an application that needs to create a special user account hidden from login screens and the Control Panel users applet. By writing a DWORD value of 0 with the user name to the registry key below, I'm able to accomplish this goal:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

The problem is that under Windows 7 with UAC on, no matter what I try, I cannot programmatically write a value to the key above.

It is my understanding that writing to certain keys is not allowed on Windows 7 with UAC on, unless you are running with Administrative privileges. I've added an application manifest requestedExecutionLevel level="requireAdministrator" uiAccess="false", I accept the UAC prompt when my program is run, my account is a member of Administrators, yet I am still unable to write to the above registry key.

What more do I need to do? How is it possible, in any application configuration, to write keys and values under HKEY_LOCAL_MACHINE\SOFTWARE?

Further information ... When my program runs, no errors are thrown and it seems to write values. My guess is that Windows is virtualizing the location to which I am writing. I need to write to the actual location, not a virtual one, if I am to hide this special user account.

4
They probably are trying to prevent exactly what you're trying to do. A hidden account written by malware would be bad, for instance. - asawyer
Yet this applies to everything under HKEY_LOCAL_MACHINE\SOFTWARE, not just the specific key I mentioned. Oh, and you can still hide the account by using regedit, or see it using computer management/users. - sysrpl
Sorry, it was just an off-the-cuff comment. If I had a good answer for you I'd have used the other box. I'm also very interested in what's actually going on here. - asawyer
Maybe it's not the only place that needs to be changed? 'Cause as stated it would be too easy for malware software. - Ilya Dvorovoy
I swear I've read something like this on Raymond Chen's blog. - asawyer

4 Answers

16
votes

Probably the program runs as a 32-bit program on a 64-bit operating system? In that case I recommend you search for the values which you created under the Wow6432Node subkey of HKEY_LOCAL_MACHINE\SOFTWARE.

You can read more about this kind of virtualization here. You can use the KEY_WOW64_32KEY flag in some APIs to be able to work with the full registry without virtualization.
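An added example, not part of the original answer: a read-only C# check that lists `UserList` values set to DWORD 0 in both registry views, so the redirection described above becomes visible and accounts hidden this way can be audited. It assumes .NET Framework 4 or later (for `RegistryView`); the class and method names are illustrative.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Win32;

// Illustrative audit helper (names are assumptions, not from the page).
static class HiddenAccountAudit
{
    // Key path taken from the question above.
    const string UserListPath =
        @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList";

    // Returns the value names set to DWORD 0 under UserList in the given view.
    static List<string> ZeroEntries(RegistryView view)
    {
        var found = new List<string>();
        using (var hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, view))
        using (var key = hklm.OpenSubKey(UserListPath, false)) // read-only open
        {
            if (key == null) return found; // key does not exist in this view
            foreach (string name in key.GetValueNames())
            {
                if (key.GetValueKind(name) == RegistryValueKind.DWord &&
                    (int)key.GetValue(name) == 0)
                    found.Add(name);
            }
        }
        return found;
    }

    static void Main()
    {
        Console.WriteLine("Process is {0}-bit on a {1}-bit OS",
            Environment.Is64BitProcess ? 64 : 32,
            Environment.Is64BitOperatingSystem ? 64 : 32);

        // Registry64 is the native view on 64-bit Windows; Registry32 is the
        // Wow6432Node view that a redirected 32-bit process writes to.
        foreach (var view in new[] { RegistryView.Registry64, RegistryView.Registry32 })
        {
            // On a 32-bit OS both requests return the same view; report it once.
            if (view == RegistryView.Registry64 && !Environment.Is64BitOperatingSystem)
                continue;
            foreach (string account in ZeroEntries(view))
                Console.WriteLine("{0}: UserList\\{1} = 0", view, account);
        }
    }
}
```

An entry reported only under `Registry32` on a 64-bit system is the symptom from the question: the write succeeded, but it landed under Wow6432Node rather than in the native key.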

1
votes

Write Value to Registry

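using System;
using Microsoft.Win32;
using System.Security.AccessControl;

string user = Environment.UserDomainName + "\\" + Environment.UserName;

// Access rule that denies the current user write and change-permission rights on the key
RegistrySecurity rs = new RegistrySecurity();

rs.AddAccessRule(new RegistryAccessRule(user,
    RegistryRights.WriteKey | RegistryRights.ChangePermissions,
    InheritanceFlags.None, PropagationFlags.None, AccessControlType.Deny));

RegistryKey rk = null;
try
{
  // Create HKCU\SOFTWARE\TEST with that security descriptor and write two values
  rk = Registry.CurrentUser.CreateSubKey("SOFTWARE\\TEST",
                                   RegistryKeyPermissionCheck.Default, rs);
  rk.SetValue("NAME", "IROSH");
  rk.SetValue("FROM", "SRI LANKA");
}
finally
{
  // Release the key handle whether or not the writes succeeded
  if (rk != null) rk.Close();
}

0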
votes

This could have something to do with the redirection they added in Vista. I would be curious if you tried to read that registry value from your code, if you would get back the value you were expecting. You may also want to fire up RegMon to see if you can see where the redirection may be forcing you.

-1
votes

// Requires: using Microsoft.Win32;
// The second argument (true) opens the key with write access
RegistryKey rk = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", true);
rk.SetValue("Name", "Value");